This is my personal opinion, and AFAIK there is no official statement from Oracle on this matter, but I think I can summarize the Oracle standpoint as follows:

There is a strong and reasonable concern about security. Oracle's promise to its customers is that security breaches will be treated with discretion, and that no information will be released that could help potential attackers;

There is also an equally strong but unreasonable concern that exposing any bugs and code commits to public scrutiny will help MySQL's competitors.

To address the security concern, Oracle wants to hide every aspect of bug fixing that may reveal security-related information:

bug reports that mention how the breach happens;

comments to commits that explain what has been done to fix the issue;

test cases that show the problem being solved.

From the security standpoint, the above steps have been implemented, and they look effective. Unfortunately, they have these side effects:

the bug database is censored, and no longer tells users why they should upgrade;

the public source trees in the revision control system are mutilated; in fact, it looks like Oracle has simply stopped updating them;

contributions to MySQL, which weren't easy before, are now much harder;

trust in Oracle's good faith as MySQL's steward is declining.

The inevitable side effect is that the moves that have reduced the security risk have also partially addressed Oracle's concern about exposing its innovation to the competition, thus making MySQL de facto less open. Was it intentional? I don't know. What I know is that these actions, which make MySQL less friendly to its direct competitors, are having the opposite effect from damaging those competitors: traditional open source users will have more reasons to look at alternatives, and those competitors will look more appealing now that Oracle has stiffened its approach to open source.

The main point of this whole incident is that Oracle values its current customers more than its potential ones. While MySQL AB focused its business on the customers that the open source model would attract to its services, Oracle wants first and foremost to make its current customers happy, and it doesn't consider the future customers that the spread of open source would bring worthy of its attention. In short, Oracle doesn't get the open source business model.

OTOH, Oracle is doing a good job on the innovation front. A huge effort is going into new features and improvements in MySQL 5.6, showing that Oracle believes in the business behind MySQL and wants to make it grow. This is an undeniable benefit for MySQL and its users. However, there is less openness than before, because the source comes out less often and not in a shape that is suitable for contributions. But the code is open, and there is growth both at Oracle (which is taking ideas and code from MySQL forks) and in the MySQL forks, which merge Oracle's changes into their releases. Even though the game is not played according to open source purists' rules, Oracle is still a main player.

What can we, the MySQL Community, do?

We need to reinforce the idea that the open source model still works for MySQL. The business side is the only one that Oracle gets. Unfortunately, the classical Oracle sales model does not look favorably on a system where you gain customers by distributing a free product and trying to please non-customers, in the hope that some of them will eventually buy your services.

My point is that Oracle is unintentionally harming MySQL and its own image. If Oracle cares about MySQL, it should take action now to mend the fracture, before it becomes too deep.

I don't have a solution to this issue, but I thought that spelling out the problem would perhaps help to find one.

Assuming the new policy is to not publish test cases for security bugs, then what is a security bug? Bugs that allow a bypass of authentication and authorization are extremely rare. And the biggest one in my memory was recently found by Monty Program.

If bugs for things that crash mysqld are also security bugs then we are going to be missing a lot of test cases from future releases.

I think the policy should allow for these test cases to be eventually published. As there has been no public comment on the new policy, all that I can do is guess.

Business processes are not created from decisions around a board room table or in a management meeting. They evolve from lots of different actions that each seem perfectly sensible on their own. Business process is what tradition is for a family. And just like they originate organically, they cannot be changed simply through decision.

I completely agree with you that Oracle does not operate with bad intent. However, the consequences of its rational actions (and there are many aspects) still result in a borked environment, and given how such things work I don't see it changing, regardless of willingness, insight or understanding.

That's just not the way it works - these observations and conclusions can be readily and repeatedly performed on many companies. The outcomes are highly predictable. Many are successful (in terms of making $) but if you also care about other metrics, many are deficient.

In addition to security concerns Oracle is also using MySQL to compete in the Windows market against MS SQL Server. I don't get the impression that open vs. closed source counts for a lot in that market.